CVE-2026-50257

NameCVE-2026-50257
DescriptionA use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138680, 1138703

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u17vulnerable
bookworm2:21.1.7-3+deb12u12vulnerable
bookworm (security)2:21.1.7-3+deb12u11vulnerable
trixie2:21.1.16-1.3+deb13u2vulnerable
trixie (security)2:21.1.16-1.3+deb13u1vulnerable
forky, sid2:21.1.23-1fixed
xwayland (PTS)bookworm2:22.1.9-1vulnerable
trixie2:24.1.6-1vulnerable
forky, sid2:24.1.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversource(unstable)2:21.1.23-11138680
xwaylandsource(unstable)2:24.1.12-11138703

Notes

[trixie] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://www.openwall.com/lists/oss-security/2026/06/02/1
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f304b57444be3991fd9d3389f309c6eeb056a6c4 (xorg-server-21.1.23)
Search for package or bug name: Reporting problems